CLAIMS 

What is claimed is: 

1 1. A policy-based network security management system, the system comprising: 

2 a security management controller comprising one or more processors; 

3 a computer-readable medium carrying one or more sequences of instructions for 

4 policy-based network security management, wherein execution of the one or 

5 more sequences of instructions by the one or more processors causes the one 

6 or more processors to perform the steps of: 

7 receiving a set of data regarding a user of a network; 

8 automatically deciding on a course of action based on the set of data, wherein 

9 the course of action may be adverse to the user although the set of data 

10 is insufficient to establish whether the user is performing a malicious 

1 1 action; and 

12 sending signals to one or more network elements in the network to implement 

13 the decision. 

1 2. The system of claim 1, wherein the set of data includes at least one or more alerts 

2 related to the user. 

1 3. The system of claim 1, wherein the signals include multiple alerts generated by 

2 multiple users; and the system further comprising sequences of instructions for 

3 correlating the multiple alerts to the multiple users. 

1 4. The system of claim 1 , wherein the set of data is a first set of data that is collected 

2 over a first duration of time; and the system fiirther comprising sequences of 

3 instructions for collecting a second set of data over a second duration of time, 

4 wherein the first duration of time is shorter than the second duration of time. 
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1 5. The system of claim 4 further comprising sequences of instructions for performing 

2 the steps of: 

3 assessing a risk level of the user harming the network based on the second set of data, 

4 wherein the second duration of time is sufficient to collect historical data 

5 regarding past malicious activities of the user; and 

6 assessing a current alert level based on the first set of data, wherein the first duration 

7 of time is of a length appropriate for assessing current activities of the user. 

1 6. The system of claim 1 or 5, further comprising sequences of instructions for 

2 performing the steps of: 

3 receiving signals related to an extemal source including at least an alert assessment 

4 relevant to the network as a whole; and 

5 creating and storing a current alert level value based on the alert assessment. 

1 7. The system of claim 1 , further comprising sequences of instructions for performing 

2 the steps of: 

3 receiving signals carrying performance information related to a health level of the 

4 network; and 

5 determining the course of action based at least in part on the set of data and the 

6 performance information. 

1 8. The system of claim 1 further comprising: 

2 a plurality of routers for routing information sent by users and servers to a variety of 

3 destinations; 

4 a subscriber management system for managing a network; 

5 a controller for executing the sequences of instructions; 

6 a network element for generating input for the set of data; and 

7 sequences of instructions for sending signals to the network elements. 
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19. A computer-readable medium carrying one or more sequences of instructions for 

2 providing policy-based network security management, wherein execution of the one 

3 or more sequences of instructions by one or more processors causes the one or more 

4 processors to perform the steps of: 

5 receiving signals carrying network performance information regarding health of a 

6 network and resource performance information regarding health of resources 

7 used by a network; 

8 assessing a health level based on the network performance information and the 

9 resource performance infomiation; and 

10 sending signals carrying information affecting use of the network based on at least the 

1 1 health level. 

1 10. A computer-readable medium as recited in claim 9, further comprising the steps of: 

2 receiving signals related to one or more alerts; 

3 associating with the user at least the one or more alerts within a current alert dataset 

4 that establishes a current alert level for the user. 

1 11. A computer-readable medium as recited in claim 9, further comprising the step of 

2 establishing a user alert. 

1 12. A computer-readable medium as recited in claim 9, further comprising the steps of: 

2 receiving signals related to one or more alerts; 

3 associating with a user at least the one or more alerts within a historical dataset of 

4 alert related information that establishes a user risk level for the user. 

1 13. A computer-readable medium as recited in Claim 9, wherein the step of sending 

2 signals further comprises the steps of: 

3 deciding on a course of action based on at least a user risk level, a current alert level, 

4 and the health level, and 
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wherein the information affecting the use of the network based on at least the health 
level is based on at least the course of action and is based on the health level 
as a result of being based on the course of action. 



1 14. A computer-readable medium as recited in claim 10, wherein the deciding step 

2 includes at least 

3 determining a user risk state from a user risk level, determining a current alert state 

4 from a current alert level, and determining a health state from the health level; 

5 and 

6 wherein the information affecting the use of the network is based on at least the 

7 health level as a result of being is based on at least the user risk state, the 

8 current alert state, and the health state. 

1 15. A policy-based network security management system, the system comprising: 

2 a security management controller comprising one or more processors; and the 

3 computer readable medium of claim 9. 

1 16. A method of providing policy-based network security management, comprising the 

2 steps of: 

3 receiving a set of data regarding a user of a network; 

4 automatically deciding on a course of action based on the set of data, wherein the 

5 course of action may be adverse to the user although the set of data is 

6 insufficient to establish whether the user is performing a malicious action; and 

7 sending signals to one or more network elements in the network to implement the 

8 decision. 

1 17. The method of claim 16 wherein the set of data includes at least one or more alerts 

2 related to the user. 
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1 18. The method of claim 16, wherein the signals include multiple alerts generated by 

2 multiple users, and the method further comprises correlating the multiple alerts to the 

3 multiple users. 

1 19. The method of claim 16, wherein the set of data is a first set of data, which was 

2 collected over a first duration of time, and the method fiirther comprising the step of 

3 collecting a second set of data over a second duration of time, wherein the first 

4 duration of time is significantly shorter than the second duration of time. 

1 20. The method of claim 19, wherein the second set of data is used to assess a risk level 

2 of the user harming a network, and the second duration of time is sufficient to collect 

3 historical data regarding past malicious activities of the user; and the first set of data 

4 is used to assess a current alert level, and the first duration of time is of a length 

5 appropriate for assessing current activities of the user. 

1 21 . The method of claim 19 further comprising receiving signals related to an external 

2 source including an alert assessment relevant to the network as a whole, wherein the 

3 current alert level is also based on the alert assessment. 

1 22. The method of claim 16 further comprising receiving signals carrying performance 

2 information related to a health level of the network, wherein the course of action is 

3 based on the set of data and the performance information. 

1 23. A method of policy-based network security management, comprising the computer- 

2 implemented steps of: 

3 receiving one or more signals carrying network performance information regarding 

4 health of one or more network devices in a network, and resource 
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5 performance information regarding health of one or more resources used by 

6 the network; 

7 assessing an overall network health level based on the network performance and the 

8 resource performance; and 

9 sending signals carrying information affecting use of the network based on the overall 
1 0 network health level. 

1 24. The method of claim 23 further comprising: 

2 receiving signals related to one or more alerts; 

3 including at least the one or more alerts within a historical dataset of alert related 

4 information that establishes a user risk level for a user; and 

5 including at least the one or more alerts within a current alert dataset that establishes a 

6 current alert level. 

1 25. The method of claim 23, wherein the sending step further comprising the steps of: 

2 deciding on a course of action based on at least a user risk level, a current alert level, 

3 and the overall network health level, and 

4 the information affecting the use of the network includes at least information for 

5 carrying out the course of action. 

1 26. The method of claim 23, wherein the deciding step includes at least the steps of: 

2 determining a user risk state from a user risk level; 

3 determining a current alert state from a current alert level; and 

4 determining a health state from the overall network health level; and 

5 wherein the information affecting the use of the network is based on at least the 

6 health level as a result of being based on at least the user risk state, the 

7 current alert state, and the health state. 
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1 27. A method of policy-based network security management, comprising the computer- 

2 implemented steps of 

3 collecting network performance statistics related to an overall health of a network and 

4 individual performance statistics of one or more individual units of the network, 

5 the collecting being performed by a performance management system; 

6 sending the performance statistics to a controller for analysis; 

7 computing an overall health state from a health level based on the network performance 

8 statistics and the individual performance statistics, using the controller; 



9 reading extemal alert data from an extemal alert source, using the controller; 

10 collecting security event data from the network; 

1 1 sending the security event data to a fault management system; 

12 using the fault management system for 



13 checking for dupUcations in the security event data, and 

14 deduplicating dupUcate security events in the security event data; 

1 5 calculating an alert state from an alert level based on the security event data from the 

16 fault management system and the extemal alert data; 

17 obtaining user information from a subscriber management system; 

18 correlating the security event data from the fault management system with the subscriber 

19 information to form correlated security event data; 

20 reading extemal user risk data from an extemal user risk source into the controller; 

21 calculating a user risk state from a user risk level based on the correlated security event 

22 data and from the extemal user risk data, using the controller; 



-43- 

50325-0800 (Sequence No. 7503) 



23 calculating a decision regarding whether to take corrective action based on the overall 

24 health state, the alert state, and the user risk state, using the controller; 

25 sending the decision from the controller to the subscriber management system; and 

26 sending directives, related to the decision, from subscriber management system to the 

27 network. 



1 28. A system comprising: 

2 a fault managements system for 

3 receiving network security data and 

4 deduplicating duplicate indications of security events in the network security data 

5 to form deduplicated security event information; 

6 a subscriber management system for managing subscribers using a network, 

7 the subscriber management system 

8 having user information data about individual users and 

9 being capable of sending directives to individual users based on a decision 

10 to take corrective action toward the individual users; 

1 1 wherein the dedupUcated network security data from the fault management system is 

12 correlated to the subscriber information to form correlated network security data; 

13 a performance management system for receiving 

14 overall performance data related to an overall health of a network and 

15 individual performance data related to a health of one or more individual units of 

16 the network; 

17 a controller for 
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18 receiving 

19 external alert data from an external alert source, 

20 external user risk data from an extemal user risk source, 

21 the deduplicated network security event information, 

22 the correlated network security information, 

23 the overall performance data, and 

24 the individual performance data, and 

25 computing 

26 an alert state from an alert level. based on at least the extemal alert data 

27 and the deduplicated network security event data, 

28 a user risk state from at least the extemal user risk data and a user risk 

29 level based on the correlated network security event data, 

30 a health state from a health level based on at least the overall performance 

31 data and the individual performance data, and 

32 the decision whether to take corrective action based on at least the alert 

33 state, the user risk state, and the health state, and 

34 causing directives that implement the decision to be sent to the network . 
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